Malicious hackers and their interest in bypassing CAPTCHA

The topic is being discussed in multiple hacking forums hosted on the deep and dark web. Threat actors have shown special interest in developing projects to bypass implementations of the Completely Automated Public Turing Test to tell Computers and Humans Apart, most commonly known as CAPTCHA, as reported by researchers specializing in digital forensics and cybersecurity.

According to experts in digital forensics from the International Institute of Cyber Security, CAPTCHA is designed to stop automated spam online by requiring users to verify text or images that are only recognizable to humans. Popular CAPTCHA uses include minimizing the effectiveness of bots in deploying distributed denial-of-service (DDoS) attacks, creating email accounts, and purchasing event tickets online. Malicious actors who want to automate these activities or other harmful online operations therefore have a great interest in bypassing CAPTCHA.

Cybersecurity and digital forensics experts recently discovered a series of discussions among malicious hackers about bypassing CAPTCHA in an English-speaking, basic-level Search Engine Optimization (SEO) forum. A threat actor raised the question of how to get past CAPTCHA using Python and Selenium scripts, and members responded with various suggested tips and tactics. Recommendations commonly shared among threat actors included the use of several legitimate and open-source CAPTCHA bypass services, most of which are designed to help people with visual disabilities or dyslexia.

However, analysts also observed two illicit tools for sale that, according to their developers, are able to bypass CAPTCHA. The first tool appears to be a stolen copy of social media marketing software that automates adding friends, while the second is a type of SEO software frequently abused by threat actors to spread spam by email or in the comment sections of different platforms.

According to its developers, this second tool is able to “decode” more than 400 types of CAPTCHA in its default form, and supposedly can decode even more variants using a plugin sold separately. The analysts responsible for the investigation have not confirmed that either of the two tools is capable of performing the advertised tasks.

The frequency with which this issue comes up in black hat hacking forums has increased steadily since the middle of last year, but so far there seems to be no evidence that these discussions have motivated any new activity in practice.

Since CAPTCHA is a vital tool in combating the automation of malicious online activities such as DDoS attacks and spam distribution, the possibility of malicious hackers being able to circumvent it continues to be a topic of discussion in the cybersecurity community.

Given the level of interest this topic has reached in deep and dark web forums, digital forensics experts predict that threat actors will continue to seek methods to bypass CAPTCHA. Organizations that use CAPTCHA to defend their websites and networks must be aware of the ongoing efforts of malicious actors to circumvent this test, and if these efforts are successful, they must tailor their security tactics to suit the threat levels.